Not sure if this is relevant to the problem of pcdoc.
Letsencrypt says they need access to port 80 and do follow redirections. I can confirm this. Also, port 443 has to be open as well. And both ports also outbound. For me it was not easy to find out that the first choice for letsencrypt is the AAAA record in the DNS records of the domain and hosts you want to cert. This point is quite important. If not all hosts you want to cert are set up with an AAAA record, dehydrated will fail. The safe way (for me) is to temporarily delete all AAAA records and re-run dehydrated -c manually.
This might depend on my installation, as my server is running behind a firewall. If so, there are a few more caveats. I.e. I have to disable a port-forward rule to the web proxy for the manual renewal of the certs. The comment in the opnsense forum is: "Status 400 is a syntax error. Probably the client is doing something the proxy does not understand...
https://forum.opnsense.org/index.php?topic=5201.0" Translation: Syntax error. Probably the client is doing something the proxy does not understand. Worst case would be that the client does not truly act according to the HTTP protocol. Therefore the proxy rejects the connection ..." I didn't check the packets with e.g. wireshark, so I don't know what really happens.
The interesting thing for me is that the letsencrypt people say that if .well-known/acme-challenge is accessible through port 80 (I ran several tests with different browsers from different IPs to access a file I created in acme-challenge), with and without redirection to ssl, dehydrated should run fine and the renewal should work. Not working in my case. I am able to access my test file through my firewall, but dehydrated mostly fails with a timeout error. All rules on my firewall seem to be correct. Dehydrated only runs through if I bypass the proxy. Besides the IP6 settings in the DNS records. Maybe it's an opnsense issue, I don't know.
One thing is for sure - you need to have full access not only to your server...
regards,
stefan
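The post above describes two failure modes that are hard to tell apart from dehydrated's own timeout message: an AAAA record the challenge server cannot actually be reached on (the CA tries IPv6 first), and a proxy in front of port 80 that answers the challenge request with a 400. The following pre-flight check is an added example written for this thread, not code from the poster or from the dehydrated project. It resolves every A and AAAA record of a host, sends the plain-HTTP challenge request to each address with the proper Host header, and reports per address whether the file is served, redirected, rejected or unreachable, so the operator can see before running `dehydrated -c` whether it is the AAAA records or the proxy that breaks validation. The hostnames, token name and addresses in the built-in self-test are constructed sample values; the `resolve` and `fetch` parameters exist so the logic can be exercised offline with those fakes.

```python
"""Pre-flight check for ACME HTTP-01 validation (added example, not project code).

For each published address of a host it performs the same request the CA
performs: GET http://<host>/.well-known/acme-challenge/<token> on port 80,
IPv6 addresses first. A 2xx or a redirect counts as reachable; a 4xx/5xx
(e.g. a 400 from an intercepting proxy) or a connection error does not.
"""
import http.client
import socket
from typing import Callable, Dict, List, Optional, Tuple

CHALLENGE_DIR = "/.well-known/acme-challenge/"

Records = Dict[str, List[str]]
FetchFn = Callable[[str, str, str], Tuple[int, Optional[str]]]


def resolve_addresses(host: str) -> Records:
    """Collect the A and AAAA answers the system resolver returns for host."""
    records: Records = {"A": [], "AAAA": []}
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return records
    for family, _, _, _, sockaddr in infos:
        key = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}.get(family)
        if key and sockaddr[0] not in records[key]:
            records[key].append(sockaddr[0])
    return records


def fetch_direct(address: str, host: str, path: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """Plain-HTTP GET of path on port 80 at one specific address, with the
    Host header of the name being validated. Returns (status, Location header)."""
    target = f"[{address}]" if ":" in address else address  # http.client wants IPv6 literals bracketed
    conn = http.client.HTTPConnection(target, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "acme-preflight"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def probe(address: str, rtype: str, host: str, token: str, fetch: FetchFn) -> Dict[str, object]:
    """Classify one address: served / redirected (both fine) / rejected / unreachable."""
    path = CHALLENGE_DIR + token
    try:
        status, location = fetch(address, host, path)
    except (OSError, http.client.HTTPException) as exc:
        return {"rtype": rtype, "ok": False, "status": None, "detail": f"unreachable: {exc}"}
    if 200 <= status < 300:
        return {"rtype": rtype, "ok": True, "status": status, "detail": "served"}
    if 300 <= status < 400 and location:
        # The CA follows redirects, so this is acceptable as long as the target serves the file.
        return {"rtype": rtype, "ok": True, "status": status, "detail": f"redirects to {location}"}
    return {"rtype": rtype, "ok": False, "status": status, "detail": f"HTTP {status}"}


def check_host(host: str, token: str, resolve=resolve_addresses, fetch: FetchFn = fetch_direct):
    """Probe every published address of host, AAAA before A (the CA's preference)."""
    records = resolve(host)
    results: Dict[str, Dict[str, object]] = {}
    for rtype in ("AAAA", "A"):
        for address in records[rtype]:
            results[address] = probe(address, rtype, host, token, fetch)
    return results


def diagnose(results: Dict[str, Dict[str, object]]) -> str:
    """Reduce per-address results to the condition the operator has to fix."""
    if not results:
        return "no-address-records"
    outcomes = {"AAAA": [], "A": []}
    for r in results.values():
        outcomes[r["rtype"]].append(bool(r["ok"]))
    v6, v4 = outcomes["AAAA"], outcomes["A"]
    if v6 and not any(v6) and v4 and all(v4):
        return "ipv6-only-failure"  # IPv4 works, IPv6 does not: fix or remove the AAAA records
    if all(v6 + v4):
        return "ok"
    return "partial-failure"


# Constructed fakes for an offline self-test: the AAAA address times out, the A address serves the file.
def _fake_resolve(host: str) -> Records:
    return {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]}


def _fake_fetch(address: str, host: str, path: str) -> Tuple[int, Optional[str]]:
    if ":" in address:
        raise OSError("timed out")
    return 200, None


def run_selftest() -> str:
    return diagnose(check_host("www.example.test", "probe-token", resolve=_fake_resolve, fetch=_fake_fetch))


if __name__ == "__main__":
    import sys
    host, token = sys.argv[1], sys.argv[2]  # token: name of a file you placed in the challenge directory
    res = check_host(host, token)
    for addr, r in res.items():
        print(f"{r['rtype']:4} {addr:40} {'OK ' if r['ok'] else 'BAD'} {r['detail']}")
    print("diagnosis:", diagnose(res))
```

Run it as `python3 preflight.py www.example.test testfile` after placing `testfile` in the challenge directory; a result of `ipv6-only-failure` is the case the poster hit (every AAAA address fails while IPv4 serves the file), and a `HTTP 400` line on an address identifies a proxy that rejects the request before it reaches the web server. Because the request is pinned to one address, an address that only appears in DNS but is not forwarded by the firewall shows up as unreachable even when a browser test from the outside succeeds over the other protocol.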